
How serious is register_globals on?

I know that best practice dictates that php.ini have register_globals off. But how serious of a security risk (if at all) is it to have register_globals on? I would like examples of how having it on might pose security risks, so that I can judge how serious this is.

If I was writing an app, I would have it off. But the problem is that some applications (let's just say, oh, osCommerce) need it on. So the question is: should I turn it on? Or should I patch osCommerce so that it works with register_globals off?

Does ZenCart (and what was that other spin-off?) require register_globals on? If not, should I use that instead?

The setting itself is harmless. Code can be written to be just as secure with register_globals turned on as without it. You don't need to use the functionality the setting offers (e.g., you can still use the superglobals).

Where the problems arise is from coders who do not fully understand the possibilities with it. Bad code has the potential to become even worse with register_globals on. It can encourage/support poor coding practices. There's a lot of bad code out there.

Whether an application requires register_globals or not shouldn't be the deciding factor for you. The quality of the code is more important; bad code is bad code. I'm not able to offer any advice on the quality of either piece of software you listed though.
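To make the reply above concrete, here is an added example (not code from this thread, from osCommerce or from ZenCart) showing the classic pattern that register_globals = On turns into an authorisation bypass, the same check written so the setting no longer matters, and a guard that strips request-derived globals on a host where php.ini cannot be changed. All function and variable names are this example's own.

```php
<?php
// Added example; not code from the thread, osCommerce or ZenCart. Shows
// (1) the classic pattern that register_globals = On turns into an
// authorisation bypass, (2) the same check written so the setting is
// irrelevant, and (3) a guard that undoes register_globals on a host where
// php.ini cannot be changed. All names are this example's own.

// (3) Defensive guard, to be called before any other code runs. Any global
// whose name equals a key in the request arrays is treated as injected by
// register_globals and removed. The superglobals themselves are never touched.
function unregister_globals()
{
    if (!ini_get('register_globals')) {
        return; // setting is off, or removed entirely (PHP >= 5.4)
    }
    $protected = array('GLOBALS', '_GET', '_POST', '_COOKIE', '_FILES',
                       '_SERVER', '_ENV', '_REQUEST', '_SESSION');
    $sources = array($_GET, $_POST, $_COOKIE, $_FILES, $_SERVER, $_ENV);
    foreach ($sources as $source) {
        foreach (array_keys($source) as $name) {
            if (!in_array($name, $protected, true)) {
                unset($GLOBALS[$name]);
            }
        }
    }
}
unregister_globals();
session_start();

// (1) Pattern that breaks under register_globals = On, kept as a comment on
// purpose: $authorized is assigned only on success, so a request carrying
// ?authorized=1 pre-seeds it before this code runs and the check passes.
//
//     if (!empty($_SESSION['user_id'])) { $authorized = true; }
//     if ($authorized) { show_admin_panel(); }

// (2) Safe with the setting on or off: every variable is initialised before
// it is read, and request or session data comes only from the superglobals.
$authorized = false;
if (!empty($_SESSION['user_id'])) {   // set solely by the login handler
    $authorized = true;
}
$page = isset($_GET['page']) ? (string) $_GET['page'] : 'home';

echo $authorized ? "admin panel ($page)\n" : "login required\n";
```

The guard is only a stop-gap for legacy hosts; the lasting fix is the pattern in (2), which is also what "patching" an application for register_globals = Off amounts to.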

I did some extra searching, and I am now pretty much convinced that one should not turn register_globals on. I'll be leaving the flag off (even on websites and servers that are not mine) and will work around it (i.e., with a patch, etc.).